From mboxrd@z Thu Jan 1 00:00:00 1970
From: Greg KH
Date: Tue, 15 Oct 2019 18:23:36 +0000
Subject: Re: [PATCH v2] usb: usbfs: Suppress problematic bind and unbind uevents.
Message-Id: <20191015182336.GA1136990@kroah.com>
List-Id:
References: <20191011115518.2801-1-ingo.rohloff@lauterbach.com>
In-Reply-To: <20191011115518.2801-1-ingo.rohloff@lauterbach.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Ingo Rohloff
Cc: linux-usb@vger.kernel.org, linux-hotplug@vger.kernel.org

On Fri, Oct 11, 2019 at 01:55:18PM +0200, Ingo Rohloff wrote:
> commit 1455cf8dbfd0 ("driver core: emit uevents when device is bound
> to a driver") added bind and unbind uevents when a driver is bound or
> unbound to a physical device.
>
> For USB devices which are handled via the generic usbfs layer (via
> libusb for example), this is problematic:
> Each time a user space program calls
>    ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
> and then later
>    ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
> The kernel will now produce a bind or unbind event, which does not
> really contain any useful information.
>
> This allows a user space program to run a DoS attack against programs
> which listen to uevents (in particular systemd/eudev/upowerd):
> A malicious user space program just has to call in a tight loop
>
>    ioctl(usb_fd, USBDEVFS_CLAIMINTERFACE, &usb_intf_nr);
>    ioctl(usb_fd, USBDEVFS_RELEASEINTERFACE, &usb_intf_nr);
>
> With this loop the malicious user space program floods the kernel and
> all programs listening to uevents with tons of bind and unbind
> events.
>
> This patch suppresses uevents for ioctls USBDEVFS_CLAIMINTERFACE and
> USBDEVFS_RELEASEINTERFACE.
>
> Signed-off-by: Ingo Rohloff
> ---
>
> Notes:
>     v2:
>     Patch only single file (devio.c), try to only suppress uevents while
>     usb_driver_claim_interface/usb_driver_release_interface are called.
>     Try to restore old state of dev->kobj.uevent_suppress.

Thanks for cleaning this up.  It looks much nicer now.  I've queued it
up in my tree, let's see how testing goes :)

thanks,

greg k-h
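
Added example, not part of this thread or of the patch: a user-space check that a uevent listener on an unpatched kernel could use to spot the bind/unbind flood described in the quoted commit message, run here over constructed kernel uevent datagrams. The helper names, device paths, the one-second window and the threshold of 20 events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def parse_uevent(raw: bytes) -> dict:
    """Parse one kernel uevent datagram: 'action@devpath', then NUL-separated KEY=VAL."""
    header, *fields = raw.rstrip(b"\0").split(b"\0")
    event = dict(f.decode().split("=", 1) for f in fields if b"=" in f)
    action, _, devpath = header.decode().partition("@")
    event.setdefault("ACTION", action)
    event.setdefault("DEVPATH", devpath)
    return event

def flooded_devices(events, window=1.0, threshold=20):
    """Return DEVPATHs with more than `threshold` USB bind/unbind uevents
    inside any sliding `window` seconds. `events` yields (timestamp, raw)
    pairs in arrival order; the listener supplies the timestamp."""
    recent = defaultdict(deque)   # DEVPATH -> timestamps still inside the window
    flagged = set()
    for ts, raw in events:
        ev = parse_uevent(raw)
        if ev.get("SUBSYSTEM") != "usb" or ev["ACTION"] not in ("bind", "unbind"):
            continue              # add/remove/change events are not part of this flood
        q = recent[ev["DEVPATH"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(ev["DEVPATH"])
    return flagged

# --- constructed sample input (not captured from a real system) ---
def make_uevent(action, devpath, seq):
    return (f"{action}@{devpath}\0ACTION={action}\0DEVPATH={devpath}\0"
            f"SUBSYSTEM=usb\0DEVTYPE=usb_interface\0SEQNUM={seq}\0").encode()

NOISY = "/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0"  # claimed/released in a loop
QUIET = "/devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0"  # one normal bind/unbind
SAMPLE = [(i * 0.01, make_uevent("bind" if i % 2 == 0 else "unbind", NOISY, 1000 + i))
          for i in range(60)]
SAMPLE += [(0.2, make_uevent("bind", QUIET, 2000)),
           (5.0, make_uevent("unbind", QUIET, 2001))]
SAMPLE.sort(key=lambda e: e[0])

if __name__ == "__main__":
    print(flooded_devices(SAMPLE))
```

A listener that flags a device this way can rate-limit or drop further bind/unbind events for that DEVPATH instead of running its full rule processing on each one.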